Category Archives: Windows 10

Windows 10 Blue Screen of Death (BSOD): PDC_WATCHDOG_TIMEOUT

A little while ago I encountered an issue on multiple models of Lenovo laptops where after the laptop’s inactivity timer induced a sleep event, upon waking the laptop I was presented with a BSOD stating PDC_WATCHDOG_TIMEOUT (NOTE: PDC stands for “Power Dependency Coordinator).

The issue was easily reproduce-able by setting the laptop’s sleep time to be 1 minute, and then waiting a minute and then waking the laptop.

A little bit of research turned up this Microsoft answers forum post: Microsoft Surface Pro (2017) BSOD PDC_WATCHDOG_TIMEOUT pdc.sys with Trend Micro Anti Virus.

While this post specified “Microsoft Surface Pro (2017)”, the “with Trend Micro Anti Virus” caught my eye, as all affected laptops were running Trend Micro OfficeScan 11. (NOTE: All laptops were also running Windows 10 Creators Update (1703)).

According to a reply to the initial forum post:

the issue is because [Trend Micro] Behaviour Monitoring is unable to handle events from sleep mode

Simply disabling sleep mode was not an option due to end-user preferences, and as these were NOT Surface Pro devices, the following link from another reply to the initial forum post was not applicable How to Unlock Power Plans on Surface Devices.

So I chose to test the following instructions:

1. Rename AEGIS drivers and create a folder with same name:
c:\windows\system32\drivers\tmcomm.sys
c:\windows\system32\drivers\tmactmon.sys
c:\windows\system32\drivers\tmevtmgr.sys

(ps: For example, take tmcomm.sys and rename it as tmcomm.sys.bak; then create a folder named tmcomm.sys)

2. Create the following registry key entry:
[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\aegis]
PowerMonitorTime=dword:0x10

Please note, should you follow these instructions, IT WILL DISABLE the Trend Micro AEGIS (Behavior Monitoring Service) driver. What does this driver do? Per the following links, Behavior Monitoring and Blocking malicious activities using Behavior Monitoring in OfficeScan (OSCE):

Behavior Monitoring constantly monitors endpoints for unusual modifications to the operating system or on installed software. Behavior Monitoring protects endpoints through Malware Behavior Blocking and Event Monitoring. Complementing these two features are a user-configured exception list and the Certified Safe Software Service.

Important:
– Behavior Monitoring does not support Windows XP or Windows 2003 64-bit platforms.
– Behavior Monitoring does support Windows Vista 64-bit platforms with SP1 or later.
– By default, Behavior Monitoring is disabled on all versions of Windows Server 2003, Windows Server 2008, and Windows Server 2012. Before enabling Behavior Monitoring on these server platforms, read the guidelines and best practices outlined in OfficeScan Agent Services.

and

Behavior Monitoring controls access to external storage devices and network resources, regulating potential avenues for data leakage or malware infection. Through the Client Self Protection feature, Behavior Monitoring also enhances endpoint protection by keeping security-related processes always up and running, and by protecting the OfficeScan client files and registry keys.

After performing the above steps, regarding the tmcomm, tmacmon, and tmevtmgr sys files, I was no longer able to reproduce the issue.

This was not a permanent resolution as it breaks an important function within the anti-virus service.

UPDATE: It appears that Trend now has a patch to resolve this issue – Blue Screen of Death (BSoD) occurs when Microsoft Surface Pro exits sleep mode. We will be rolling out this patch to address the issue, and once it is done I will re-evaluate.